[ISN] INFOSEC: Certifiably Certified

From: InfoSec News (isnat_private)
Date: Wed Oct 23 2002 - 23:44:39 PDT


    Forwarded from: Richard Forno <rfornoat_private>

    As security certifications become more plentiful, they are losing
    their real value.

    By Richard Forno, Oct 23, 2002
    © 2002 SecurityFocus.com

    A recent issue of SC Magazine, one of the information security
    industry's cheerleading trade rags, featured a full-page advertisement
    with the following emblazoned across the top of the page: "How to
    increase your salary by 21.39% in 7 days or less."
    At first glance, I thought it was from the same people sending "Get
    Your Green Card Now" messages to USENET during the 1990s. But to my
    dismay I saw it was from a firm offering intensive bootcamp-style
    training to technology professionals to earn their security
    certifications from ISC2, Cisco, TruSecure, and a suite of other
    organizations. The advertisement also had the spamorific phrase "Get IT
    Security Certifications Fast" and cited research reports showing that
    certified people command higher salaries.
    This illustrated one of my latest pet peeves: certifications that are
    marketed more towards personal advancement and money than to training
    technology professionals for the demanding and important job of
    securing networks. Security certifications represent an industry
    paradox: they're becoming more numerous and easier to obtain, yet,
    bucking all laws of supply and demand, they seem to be more valuable
    on the job market.

    Acronyms or Experience

    From where I sit, security certifications are nothing more than a cash
    cow for the companies offering them (see here for a partial list).
    Rather than educating aspiring security pros how to secure valuable
    network resources, the wave of pyrrhic certifications is a means for
    non-technical recruiters and otherwise clueless corporate officers to
    separate resumes when hiring security people. The only problem is, the
    certifications don't necessarily guarantee that the holder is
    qualified to secure a network or to react to a potentially costly
    security incident. Instead of serving as a device for identifying
    qualified candidates for hiring, certifications are simply a time
    efficient way to sort resumes.
    Through clever marketing efforts of the certifying entity, HR
    personnel may be led to believe that applicants without such
    credentials are not legitimate candidates for the job. The other side
    of this coin is that these efforts will likely lead HR people to
    conclude that the possession of a cert is evidence of adequate,
    working knowledge of information security. As a result, a seasoned
    veteran with years of hands-on experience in hardening systems will be
    deemed less qualified than a wet-behind-the-ears pup with three or
    four fancy acronyms behind his name.
    Some of these certifications are offered by established, credible
    entities such as SANS. But there are others from more dubious sources
    that don't provide much in the way of information about their
    certification program contents or instructor expertise. All come with
    fancy diplomas and letters you can use on business cards to look down
    on others who don't have the intelligence or ability to accumulate an
    alphabet soup of letters after their name. But all of these acronyms
    are so much hollow clanging: sound and fury signifying nothing. Not
    only that, but most must be renewed every few years - thereby
    guaranteeing a perpetual stream of income pouring into the coffers of
    the certificate-granting 'authority.' Ka-ching!
    Obviously, it's not about security, it's about the money, stupid.
    Too many people forget that letters after your name don't make you a
    better security or technology professional. The problem is that many
    certifications are simply not stringent enough. The emphasis is not on
    establishing compliance with a rigorous industry standard, but on
    generating revenue for the certifying body. Given enough time and
    money to throw at the challenge, anyone with half a clue about security
    can pass a test or write a halfway-acceptable paper, particularly when
    many certifications are granted on a pass/fail basis, the threshold of
    which may be as low as sixty per cent. Furthermore, candidates can
    often challenge substandard marks, thereby snatching an undeserved
    certification from the jaws of failure. Let's face it, if your
    security administrator is only capable of protecting against sixty per
    cent of exploits, your network will be a playground for malicious

    Introducing people into a trusted internal environment and charging
    them to protect it simply because they appear to be competent in the
    eyes of a third party is foolish. Haphazardly hiring security
    personnel on the basis of a certification for which there is not even
    a standard (such as ISO 17799) is a reckless endangerment of the
    hiring organization's resources. Furthermore, given the interconnected
    nature of the Internet, in some cases, this has the real possibility
    of adversely affecting security across the Internet in general.

    Doing the Time to Prevent the Crime

    Having been a Chief Security Officer for a multi-billion dollar
    company, my hiring philosophy is this: give me someone with an
    outstanding command of the basics of systems and networks (which
    includes security fundamentals) and years of demonstrated operational
    experience "in the trenches" over someone with a few years of training
    and a few certifications anytime. Expertise and professional
    competence in anything comes from time doing the work, either
    professionally or as a hobby. Certifications are great ways to impart
    theoretical knowledge, but they are no substitute for real-world
    experience and lessons-learned in the workplace.
    If a candidate for a security position is competent, you'll find that
    out by due diligence during the interview process and reference checks
    easily enough. But if they're truly professional, their successful
    history in technology security operations and management and ongoing
    writing, speaking, or teaching activities among their colleagues
    verifies their security competencies far more effectively than any
    certification or training regime.
    Someone who truly knows how to implement security the right way should
    be evaluated and respected accordingly by their demonstrated work
    experience and by a diligent informed interview process conducted by
    security professionals. They should not be hired by an HR hack who
    knows nothing about security but the acronyms of numerous half-baked

    Now, for a Limited Time Only...

    That having been said, I'm happy to announce that I'm going into the
    certification business. If anyone cares to send me $500 and copies of
    their alphanumeric passwords, I'll return to them a diploma conferring
    on them the title "Certified Strong Password-Using Professional"
    (CSPUP) that's good for four years from the date on their check or
    money order.
    Within weeks, you'll be worth more as a security professional in the
    eyes of your employer. Trust me.
    ISN is currently hosted by Attrition.org
